SS Network Troubleshooting - ryzendew/Linux-Tips-and-Tricks GitHub Wiki

SS (Socket Statistics) Network Troubleshooting for Beginners

Table of Contents

  1. :pencil: What is ss?
  2. :zap: Basic Commands
  3. :mag: Viewing Network Connections
  4. :desktop: Filtering by Protocol
  1. :mag_right: Filtering by Connection State
  1. :target: Filtering by Port
  1. :globe_with_meridians: Filtering by Address
  1. :bar_chart: Network Statistics
  1. :wrench: Advanced Options
  1. :bulb: Common Troubleshooting Scenarios
  1. :keyboard: Quick Reference
  1. Summary

:pencil: What is ss?

  • ss (Socket Statistics) is a modern replacement for the older netstat command
  • It displays network socket connections and statistics
  • Faster and more feature-rich than netstat
  • Part of the iproute2 package (usually pre-installed on modern Linux systems)

What ss can do:

  • Show all network connections (TCP, UDP, Unix sockets)
  • Display listening ports
  • Show process information using sockets
  • Filter connections by state, port, address
  • Display network statistics
  • Troubleshoot network connectivity issues

Why use ss instead of netstat?

  • Faster performance
  • More detailed information
  • Better filtering options
  • Actively maintained
  • More accurate process information

:zap: Basic Commands

Getting Help

ss --help

Shows all available ss options and filters.

Check Version

ss --version

Shows the version of ss and iproute2 package.

:mag: Viewing Network Connections

Show All Connections

ss

What this does:

  • Shows all active network connections
  • Displays TCP, UDP, and Unix socket connections
  • Shows local and remote addresses with ports

Example output:

Netid State    Recv-Q Send-Q        Local Address:Port     Peer Address:Port Process                                     
udp   ESTAB    0      0      192.168.2.152%enp6s0:68        192.168.2.1:67                                               
udp   ESTAB    0      0             192.168.2.152:33766 142.176.208.109:443   users:(("msedge",pid=766386,fd=63))        
tcp   ESTAB    0      0                 127.0.0.1:35504       127.0.0.1:37431 users:(("steamwebhelper",pid=754584,fd=29))

What each column means:

  • Netid: Network protocol (tcp, udp, unix, etc.)
  • State: Connection state (ESTAB, LISTEN, TIME-WAIT, etc.)
  • Recv-Q: Receive queue (data waiting to be received)
  • Send-Q: Send queue (data waiting to be sent)
  • Local Address:Port: Your machine's IP and port
  • Peer Address:Port: Remote machine's IP and port
  • Process: Process using the socket (if available)

Show All Connections (Detailed)

ss -a

What this does:

  • Shows all sockets including listening and non-listening
  • Includes all connection states
  • More comprehensive than basic ss

When to use it:

  • Troubleshooting network issues
  • Finding all network activity
  • Comprehensive network audit

Show Listening Ports

ss -l

What this does:

  • Shows only sockets that are listening for connections
  • Displays services waiting for incoming connections
  • Useful for finding what ports are open

Example output:

State  Recv-Q Send-Q Local Address:Port  Peer Address:PortProcess                                     
LISTEN 0      128        127.0.0.1:27060      0.0.0.0:*    users:(("steam",pid=754261,fd=98))         
LISTEN 0      128        127.0.0.1:57343      0.0.0.0:*    users:(("steam",pid=754261,fd=58))         
LISTEN 0      4096      127.0.0.54:53         0.0.0.0:*                                               
LISTEN 0      128          0.0.0.0:27036      0.0.0.0:*    users:(("steam",pid=754261,fd=154))

When to use it:

  • Finding what services are listening
  • Checking if a port is open
  • Security auditing
  • Troubleshooting "port already in use" errors

Show Process Information

ss -p

What this does:

  • Shows which process is using each socket
  • Displays process name and PID
  • Requires root privileges for all processes

Example:

sudo ss -p

What you'll see:

users:(("steam",pid=754261,fd=98))

When to use it:

  • Finding what process is using a port
  • Troubleshooting port conflicts
  • Identifying network activity by process

Show Numeric Addresses (No DNS Lookup)

ss -n

What this does:

  • Shows IP addresses instead of hostnames
  • Faster (no DNS resolution)
  • More accurate for troubleshooting

When to use it:

  • Faster output
  • Avoiding DNS lookup delays
  • When DNS is not working
  • Scripting and automation

Show Resolved Hostnames

ss -r

What this does:

  • Resolves IP addresses to hostnames
  • Shows domain names instead of IPs
  • Slower but more readable

When to use it:

  • Human-readable output
  • Understanding what hosts you're connected to
  • Network analysis

:desktop: Filtering by Protocol

Show Only TCP Connections

ss -t

What this does:

  • Shows only TCP (Transmission Control Protocol) connections
  • TCP is connection-oriented and reliable
  • Most common protocol for web, SSH, email, etc.

Common TCP states:

  • ESTAB - Established connection
  • LISTEN - Listening for connections
  • TIME-WAIT - Connection closing
  • CLOSE-WAIT - Remote closed, local closing
  • SYN-SENT - Connection request sent
  • SYN-RECV - Connection request received

Show Only UDP Connections

ss -u

What this does:

  • Shows only UDP (User Datagram Protocol) connections
  • UDP is connectionless and faster
  • Used for DNS, DHCP, streaming, gaming

UDP states:

  • UNCONN - Unconnected
  • ESTAB - Established (UDP doesn't really establish, but shows active)

Show TCP and UDP Together

ss -tun

What this does:

  • Shows both TCP and UDP connections
  • Numeric addresses (no DNS lookup)
  • Common combination for network troubleshooting

When to use it:

  • Quick overview of all network activity
  • Troubleshooting network issues
  • Most common ss command combination

Show TCP, UDP, and Process Info

ss -tunp

What this does:

  • Shows TCP and UDP connections
  • Numeric addresses
  • Process information

Example:

sudo ss -tunp

When to use it:

  • Complete network overview
  • Finding what's using network ports
  • Comprehensive troubleshooting

:mag_right: Filtering by Connection State

Show Established Connections

ss -tn state established

What this does:

  • Shows only active, established TCP connections
  • Filters out listening, closed, and other states
  • Shows current active network sessions

When to use it:

  • Seeing active connections
  • Monitoring current network activity
  • Finding active sessions

Show Listening Sockets

ss -tn state listening

What this does:

  • Shows only sockets listening for connections
  • Displays services waiting for incoming connections
  • Equivalent to ss -tln but more explicit

Example output:

Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      128        127.0.0.1:27060      0.0.0.0:*   
0      128        127.0.0.1:57343      0.0.0.0:*   
0      4096      127.0.0.54:53         0.0.0.0:*   
0      128          0.0.0.0:27036      0.0.0.0:*

When to use it:

  • Finding open ports
  • Security auditing
  • Checking if a service is listening

Show All Connection States

ss -tn state all

What this does:

  • Shows connections in all states
  • Includes established, listening, time-wait, close-wait, etc.
  • Most comprehensive view

Common states:

  • established - Active connection
  • syn-sent - Connection request sent
  • syn-recv - Connection request received
  • fin-wait-1 - Connection closing
  • fin-wait-2 - Waiting for remote close
  • time-wait - Connection closed, waiting
  • close - Connection closed
  • close-wait - Remote closed, local closing
  • last-ack - Waiting for final acknowledgment
  • listen - Listening for connections
  • closing - Both sides closing

:target: Filtering by Port

Show Connections on Specific Port

ss -tn sport :22

What this does:

  • Shows connections with source port 22
  • sport = source port (port on your machine)
  • Useful for finding connections from a specific port

Example:

ss -tn sport :80

Shows all connections originating from port 80.

Show Connections to Specific Port

ss -tn dport :80

What this does:

  • Shows connections with destination port 80
  • dport = destination port (port on remote machine)
  • Useful for finding connections to a specific service

Example:

ss -tn dport :443

Shows all HTTPS connections (port 443).

Show Connections on Any Port

ss -tn port :22

What this does:

  • Shows connections on port 22 (either source or destination)
  • Matches both sport :22 and dport :22
  • Useful when you don't care about direction

Example:

ss -tn port :80

Shows all connections involving port 80.

Show Connections in Port Range

ss -tn dport :8000-9000

What this does:

  • Shows connections to ports 8000 through 9000
  • Useful for finding connections in a port range
  • Can use with sport for source port ranges

Example:

ss -tn dport :1024-65535

Shows connections to high-numbered ports (non-privileged ports).

:globe_with_meridians: Filtering by Address

Show Connections to Specific IP

ss -tn dst 192.168.1.100

What this does:

  • Shows connections to IP address 192.168.1.100
  • dst = destination address
  • Useful for monitoring connections to a specific host

Show Connections from Specific IP

ss -tn src 192.168.1.100

What this does:

  • Shows connections from IP address 192.168.1.100
  • src = source address
  • Useful for monitoring connections from a specific host

Show Connections to Specific Network

ss -tn dst 192.168.1.0/24

What this does:

  • Shows connections to the 192.168.1.0/24 network
  • Uses CIDR notation for network ranges
  • Useful for monitoring local network traffic

:bar_chart: Network Statistics

Show Summary Statistics

ss -s

What this does:

  • Shows summary statistics of all sockets
  • Displays totals by protocol
  • Quick overview of network activity

Example output:

Total: 1434
TCP:   58 (estab 27, closed 17, orphaned 0, timewait 10)

Transport Total     IP        IPv6
RAW	  1         0         1        
UDP	  20        14        6        
TCP	  41        39        2        
INET	  62        53        9        
FRAG	  0         0         0

What it shows:

  • Total number of sockets
  • TCP connections by state
  • Breakdown by transport protocol
  • IPv4 vs IPv6 statistics

When to use it:

  • Quick network overview
  • Monitoring network activity
  • Understanding network load

:wrench: Advanced Options

Show Extended Information

ss -e

What this does:

  • Shows extended socket information
  • Includes user ID, inode, and other details
  • More detailed than basic output

Show Memory Usage

ss -m

What this does:

  • Shows memory usage for each socket
  • Displays socket buffer sizes
  • Useful for troubleshooting memory issues

Show Timer Information

ss -o

What this does:

  • Shows TCP timer information
  • Displays connection timers and timeouts
  • Useful for troubleshooting connection issues

Show Internal TCP Information

ss -i

What this does:

  • Shows internal TCP information
  • Displays congestion control, window sizes, etc.
  • Advanced networking details

:bulb: Common Troubleshooting Scenarios

Scenario 1: Port Already in Use

Problem: Service won't start because port is already in use.

Solution:

  1. Find what's using the port:

    sudo ss -tlnp | grep :80

  2. Check the process:

    sudo ss -tlnp sport :80

  3. Stop the conflicting service:

    sudo systemctl stop conflicting-service

Example:

sudo ss -tlnp | grep :22

Shows what's using SSH port 22.

Scenario 2: Check if Service is Listening

Problem: Service should be listening but connections fail.

Solution:

  1. Check if service is listening:

    sudo ss -tlnp | grep servicename

  2. Check specific port:

    sudo ss -tlnp | grep :80

  3. Verify service is running:

    systemctl status servicename

Scenario 3: Find Active Connections

Problem: Need to see what the system is connected to.

Solution:

ss -tn state established

Shows all active connections.

With process info:

sudo ss -tnp state established

Scenario 4: Monitor Network Activity

Problem: Need to monitor network connections in real-time.

Solution: Use watch to continuously monitor:

watch -n 1 'ss -tn state established'

Updates every second.

Or use a loop:

while true; do clear; ss -tn state established; sleep 1; done

Scenario 5: Find Connections to Specific Host

Problem: Need to see all connections to a specific server.

Solution:

ss -tn dst 192.168.1.100

Shows all connections to that IP.

With process info:

sudo ss -tnp dst 192.168.1.100

Scenario 6: Check Listening Ports for Security

Problem: Security audit - need to see all open ports.

Solution:

sudo ss -tlnp

Shows all TCP listening ports with processes.

Include UDP:

sudo ss -tulnp

Only show ports (no process info):

ss -tln

Scenario 7: Find Process Using Network

Problem: High network usage, need to find the process.

Solution:

sudo ss -tunp

Shows all connections with process information.

Filter by state:

sudo ss -tunp state established

Shows only active connections with processes.

Scenario 8: Troubleshoot Connection Issues

Problem: Connection hanging or timing out.

Solution:

  1. Check connection state:

    ss -tn state all | grep problematic-ip

  2. Check for time-wait connections:

    ss -tn state time-wait

  3. Check socket queues:

    ss -tn

Look for high Recv-Q or Send-Q values.

:keyboard: Quick Reference

Basic Commands

ss                    # All connections
ss -a                 # All sockets (including listening)
ss -l                 # Listening sockets only
ss -p                 # Show process info (requires sudo)
ss -n                 # Numeric addresses (no DNS)
ss -r                 # Resolve hostnames

Protocol Filters

ss -t                 # TCP only
ss -u                 # UDP only
ss -tun               # TCP and UDP, numeric
ss -tunp              # TCP/UDP, numeric, with processes

State Filters

ss -tn state established    # Active connections
ss -tn state listening      # Listening sockets
ss -tn state all            # All states

Port Filters

ss -tn sport :80            # Source port 80
ss -tn dport :80            # Destination port 80
ss -tn port :80             # Either source or destination
ss -tn dport :8000-9000     # Port range

Address Filters

ss -tn dst 192.168.1.100    # Connections to IP
ss -tn src 192.168.1.100    # Connections from IP
ss -tn dst 192.168.1.0/24   # Connections to network

Statistics and Information

ss -s                 # Summary statistics
ss -e                 # Extended information
ss -m                 # Memory usage
ss -o                 # Timer information
ss -i                 # Internal TCP info

Common Combinations

sudo ss -tlnp              # All TCP listening ports with processes
sudo ss -tunp              # All TCP/UDP connections with processes
ss -tn state established   # Active TCP connections
sudo ss -tlnp | grep :80   # What's using port 80

Summary

This guide covered:

  1. Basic Commands:
  • Getting help and version info
  • Viewing all connections
  • Showing listening ports
  1. Protocol Filtering:
  • TCP connections
  • UDP connections
  • Combined protocols
  1. Connection State Filtering:
  • Established connections
  • Listening sockets
  • All states
  1. Port Filtering:
  • Source ports
  • Destination ports
  • Port ranges
  1. Address Filtering:
  • Specific IPs
  • Network ranges
  1. Statistics:
  • Summary statistics
  • Extended information
  • Memory and timer info
  1. Troubleshooting Scenarios:
  • Port conflicts
  • Service listening checks
  • Network monitoring
  • Security auditing

Next Steps:

  • Practice with common port numbers (22, 80, 443, 3306, etc.)
  • Combine with systemctl to manage services using ports
  • Use with journalctl for comprehensive troubleshooting
  • Learn about firewall rules with iptables or firewalld

For service management, see the Systemctl Troubleshooting Guide. For log analysis, see the Journalctl Troubleshooting Guide.